🇨🇳
EMISSARY PANDA
APT Group
Information theft and espionage
12 zero-day CVEs
ETDA ✓
Also Known As 15 names
BRONZE UNION
Budworm
Circle Typhoon
Earth Smilodon
G0027
GreedyTaotie
Group 35
Iron Taurus
Iron Tiger
Linen Typhoon
Lucky Mouse
Red Phoenix
TEMP.Hippo
TG-3390
ZipToken
Target Countries 17
Australia
Canada
China
Germany
Spain
Hong Kong
Israel
India
Islamic Republic of Iran
Japan
Republic of Korea
Mongolia
Philippines
Thailand
Turkey
Taiwan
United States
Sectors Targeted
Education
Computer Systems Design and Related Services (NAICS 54151)
Embassies
Government
Manufacturing
Aviation
Telecommunications
Aerospace
Defense
Think Tanks
Technology
Details
Origin
🇨🇳 CN
Last Updated
24 Jul 2025
Malware Families 6
Netsupport Manager
netsupportmanager_rat
hyperssl
unidentified_080
twoface
polpo
MITRE ATT&CK 96
T1003 - OS Credential Dumping
T1003.001 - LSASS Memory
T1003.008 - /etc/passwd and /etc/shadow
T1005 - Data from Local System
T1016 - System Network Configuration Discovery
T1018 - Remote System Discovery
T1020 - Automated Exfiltration
T1021 - Remote Services
T1021.001 - Remote Desktop Protocol
T1027 - Obfuscated Files or Information
T1033 - System Owner/User Discovery
T1036 - Masquerading
T1039 - Data from Network Shared Drive
T1041 - Exfiltration Over C2 Channel
T1046 - Network Service Discovery
T1047 - Windows Management Instrumentation
T1048 - Exfiltration Over Alternative Protocol
T1049 - System Network Connections Discovery
T1053 - Scheduled Task/Job
T1055 - Process Injection
T1056 - Input Capture
T1057 - Process Discovery
T1059 - Command and Scripting Interpreter
T1059.001 - PowerShell
T1059.003 - Windows Command Shell
T1068 - Exploitation for Privilege Escalation
T1070 - Indicator Removal
T1070.004 - File Deletion
T1071 - Application Layer Protocol
T1071.001 - Web Protocols
T1078 - Valid Accounts
T1078.001 - Default Accounts
T1078.004 - Cloud Accounts
T1082 - System Information Discovery
T1083 - File and Directory Discovery
T1087 - Account Discovery
T1090 - Proxy
T1095 - Non-Application Layer Protocol
T1102 - Web Service
T1105 - Ingress Tool Transfer
T1110 - Brute Force
T1112 - Modify Registry
T1113 - Screen Capture
T1119 - Automated Collection
T1123 - Audio Capture
T1124 - System Time Discovery
T1127 - Trusted Developer Utilities Proxy Execution
T1132 - Data Encoding
T1133 - External Remote Services
T1134 - Access Token Manipulation
T1140 - Deobfuscate/Decode Files or Information
T1176 - Browser Extensions
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1195 - Supply Chain Compromise
T1199 - Trusted Relationship
T1201 - Password Policy Discovery
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1210 - Exploitation of Remote Services
T1213 - Data from Information Repositories
T1404 - Exploit OS Vulnerability
T1412 - Capture SMS Messages
T1429 - Capture Audio
T1432 - Access Contact List
T1486 - Data Encrypted for Impact
T1489 - Service Stop
T1490 - Inhibit System Recovery
T1496 - Resource Hijacking
T1498 - Network Denial of Service
T1505 - Server Software Component
T1505.003 - Web Shell
T1512 - Capture Camera
T1514 - Elevated Execution with Prompt
T1518 - Software Discovery
T1530 - Data from Cloud Storage Object
T1543 - Create or Modify System Process
T1547 - Boot or Logon Autostart Execution
T1548 - Abuse Elevation Control Mechanism
T1552 - Unsecured Credentials
T1552.001 - Credentials In Files
T1553 - Subvert Trust Controls
T1555 - Credentials from Password Stores
T1560 - Archive Collected Data
T1562 - Impair Defenses
T1564 - Hide Artifacts
T1566 - Phishing
T1566.001 - Spearphishing Attachment
T1567 - Exfiltration Over Web Service
T1570 - Lateral Tool Transfer
T1573 - Encrypted Channel
T1574 - Hijack Execution Flow
T1574.002 - DLL Side-Loading
T1590 - Gather Victim Network Information
T1595 - Active Scanning
T1602 - Data from Configuration Repository
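The 96 technique IDs above are more useful as an ATT&CK Navigator layer than as a flat list, and the card mixes two ATT&CK domains: T1404, T1412, T1429, T1432 and T1512 are Mobile ATT&CK IDs, which a single-domain Navigator layer cannot hold next to the Enterprise IDs. The script below is an added example, not part of the original card or of any vendor tooling: it parses lines in the card's own "ID - Name" / bare-ID form, splits out the mobile-domain IDs, and emits a Navigator layer JSON. The six-line sample input is constructed from the list above, and the `MOBILE_IDS` set and the version strings in `LAYER_VERSIONS` are assumptions to be adjusted to the Navigator instance in use.

```python
"""Turn the technique list on this card into an ATT&CK Navigator layer.

Added example: not part of the original card or of any vendor tooling.
"""
import json
import re

# Constructed sample input: six lines copied from the card above, in the
# card's own "ID - Name" / bare-ID form (not the full 96-line list).
SAMPLE_CARD = """\
T1003 - OS Credential Dumping
T1003.001
T1190 - Exploit Public-Facing Application
T1505.003 - Web Shell
T1574.002
T1412 - Capture SMS Messages
"""

# A technique line is "Tnnnn" or "Tnnnn.nnn", optionally followed by " - Name".
TECHNIQUE_RE = re.compile(r"^(T\d{4}(?:\.\d{3})?)(?:\s+-\s+(.+?))?\s*$")

# IDs on the card that belong to the mobile-attack domain. A Navigator layer
# is single-domain, so these must go in a separate layer (or be dropped).
# Assumption: maintained by hand from attack.mitre.org.
MOBILE_IDS = {"T1404", "T1412", "T1429", "T1432", "T1512"}

# Assumed version strings; set them to match the Navigator instance you use.
LAYER_VERSIONS = {"attack": "15", "navigator": "4.9.1", "layer": "4.5"}


def parse_card(text):
    """Return [(technique_id, name_or_None)] for each technique line in text."""
    found = []
    for line in text.splitlines():
        m = TECHNIQUE_RE.match(line.strip())
        if m:
            found.append((m.group(1), m.group(2)))
    return found


def split_by_domain(techniques):
    """Split parsed techniques into (enterprise, mobile) lists by parent ID."""
    enterprise, mobile = [], []
    for tid, name in techniques:
        parent = tid.split(".")[0]
        (mobile if parent in MOBILE_IDS else enterprise).append((tid, name))
    return enterprise, mobile


def build_layer(techniques, name, domain="enterprise-attack"):
    """Build a Navigator layer dict scoring every listed technique as 1.

    Parents that have a listed sub-technique get showSubtechniques=True so the
    sub-technique rows are expanded when the layer is opened.
    """
    parents_with_subs = {tid.split(".")[0] for tid, _ in techniques if "." in tid}
    entries = []
    for tid, tname in techniques:
        entries.append({
            "techniqueID": tid,
            "score": 1,
            "color": "",
            "comment": tname or "",
            "enabled": True,
            "showSubtechniques": tid in parents_with_subs,
        })
    return {
        "name": name,
        "versions": dict(LAYER_VERSIONS),
        "domain": domain,
        "description": f"Techniques attributed to {name} on this card",
        "techniques": entries,
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": 1},
        "legendItems": [],
    }


def layer_json(techniques, name, domain="enterprise-attack"):
    """Serialise the layer as the JSON text Navigator's 'Open Existing Layer' reads."""
    return json.dumps(build_layer(techniques, name, domain), indent=2)


if __name__ == "__main__":
    enterprise, mobile = split_by_domain(parse_card(SAMPLE_CARD))
    print(layer_json(enterprise, "EMISSARY PANDA"))
    if mobile:
        print("mobile-domain IDs left out of the enterprise layer:",
              ", ".join(tid for tid, _ in mobile))
```

Feed the full list from the card in place of `SAMPLE_CARD` to get the complete layer. Deprecated IDs such as T1404 and T1514 are still emitted but will not render in a current Navigator matrix, so compare the layer's technique count against the card's 96 before trusting a coverage view built from it.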